VMware products and “Ghost”, glibc gethostbyname* buffer overflow (CVE-2015-0235)
http://blogs.vmware.com/security/2015/01/vmware-products-ghost-glibc-gethostbyname-buffer-overflow-cve-2015-0235.html
Fri, 30 Jan 2015 00:50:45 +0000

This Tuesday a buffer overflow in the gethostbyname family of functions (“gethostbyname*”) in the widely used glibc library (CVE-2015-0235) was disclosed. As soon as we became aware of this vulnerability we began investigating. We regarded it as a significant vulnerability since the original advisory detailed remote code execution in the Exim mail server.

We quickly realized that exploitability of this vulnerability depends on where and how the vulnerable function is invoked. In particular, if an attacker cannot control the arguments passed to the gethostbyname* functions, then the overflow cannot be triggered. Suffice it to say, the applicability of this vulnerability to the Exim mail server cannot be generalized to all software using glibc, or even to all invocations of gethostbyname*.

We have been reviewing the use of glibc and gethostbyname* in our products. Based on our current analysis, we have not identified any VMware product that is affected by this issue. Many of our products do use a vulnerable version of the glibc library, but we have not found a way to pass untrusted input to gethostbyname*. Our KB on this issue is published here.
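The call-site question above (can untrusted input reach the resolver argument?) can be made explicit in code. The following is an added example, not VMware code: the hypothetical functions `hostname_is_safe` and `resolve_checked` bound the length and character set of a name before any resolver call, and the lookup uses `getaddrinfo()` rather than gethostbyname*. It constrains the argument at one call site and does not replace updating glibc.

```c
/* Added example, not VMware code; function names are hypothetical. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* getaddrinfo(), strnlen() */
#endif
#include <netdb.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

#define MAX_NAME  253   /* longest DNS name in text form */
#define MAX_LABEL 63    /* longest single label */

/* 1 if name is a well-formed RFC 1123 hostname (letters, digits, '-',
 * dot-separated labels, no trailing dot), else 0. */
int hostname_is_safe(const char *name)
{
    size_t len, label = 0;
    if (name == NULL) return 0;
    len = strnlen(name, MAX_NAME + 1);          /* never scans past the cap */
    if (len == 0 || len > MAX_NAME) return 0;
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        int alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                    (c >= '0' && c <= '9');
        if (c == '.') {                         /* label boundary */
            if (label == 0 || name[i - 1] == '-') return 0;
            label = 0;
        } else if (!alnum && c != '-') {
            return 0;                           /* byte outside the LDH set */
        } else if ((c == '-' && label == 0) || ++label > MAX_LABEL) {
            return 0;                           /* leading '-' or long label */
        }
    }
    return label > 0 && name[len - 1] != '-';
}

/* 0 = resolved (caller frees *out with freeaddrinfo), -1 = rejected before
 * any resolver call, -2 = resolver error (code stored in *gai_err). */
int resolve_checked(const char *name, struct addrinfo **out, int *gai_err)
{
    struct addrinfo hints;
    *out = NULL;
    if (!hostname_is_safe(name)) return -1;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    *gai_err = getaddrinfo(name, NULL, &hints, out);
    return *gai_err == 0 ? 0 : -2;
}
```

A return of -1 means the resolver was never invoked, which is the property a call-site review looks for when the name comes from an untrusted source.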

We take the security of customers extremely seriously. Even though no VMware product has been found to be exploitable using this issue, we will update the glibc library in normal upcoming maintenance releases.

The new advisory details a privilege escalation (CVE-2014-8370) and denial of service issues (CVE-2015-1043, CVE-2015-1044) in Workstation, Fusion and ESXi, as well as updates to third-party libraries in VMware vSphere.

Customers should review the security advisory and direct any questions to VMware Support.

The advisory documents CVE-2014-8373, a critical remote privilege escalation vulnerability in vCloud Automation Center (vCAC). It is important to note that the provided patches will temporarily disable the vCAC “Connect (by) Using VMRC” functionality for directly connecting to vCenter Server.

Customers should review the security advisory and direct any questions to VMware Support.

Changes to Transparent Page Sharing reminder and new and updated VMware Security Advisories
http://blogs.vmware.com/security/2014/12/changes-transparent-page-sharing-reminder-new-updated-vmware-security-advisories.html
Fri, 05 Dec 2014 05:00:28 +0000

As previously noted (Oct 16 and Nov 24), VMware has introduced new TPS (Transparent Page Sharing) management options that give administrators more granular control over which Virtual Machines have the potential to share duplicate pages of memory with each other. The previous ESXi patch releases incorporated the additional functionality but did not change the default behavior. Today's update of ESXi 5.1 is the first release that restricts TPS to individual VMs and disables inter-VM TPS by default unless an administrator chooses to re-enable it. Please see KB 2097593 for full details on the functionality.

Additionally VMware has today released the following new and updated advisories:
New: VMSA-2014-0012

Inter-VM Transparent Page Sharing ESXi default changing (reminder)
http://blogs.vmware.com/security/2014/11/inter-vm-transparent-page-sharing-esxi-default-changing-reminder-2.html
Tue, 25 Nov 2014 02:05:22 +0000

The additional Transparent Page Sharing (TPS) management capabilities that we discussed in our blog post of October 16 have been out for about a month for ESXi 5.1 and ESXi 5.5. The same capabilities for ESXi 5.0 will follow next month.

While the recent ESXi patches do not change any TPS setting, the upcoming ESXi Update/patch releases planned for 2014 and Q1 of 2015 will. As we explained in our previous TPS post, the default setting for inter-VM TPS will be such that TPS among virtual machines will no longer be enabled by default. Customers are advised to review the usage of TPS in their environment (see KB 2091682) and plan accordingly.

We would also like to take the opportunity to mention that the capability of inter-VM TPS is not removed from ESXi and that it can be re-enabled either system-wide or for groups of VMs by using the new salting mechanism (see KB 2091682).